6

Following an update to Focal, I had to revisit /etc/apt/sources* to update my third party repositories.

One of the repositories is for the Yorba PPA at: https://launchpad.net/~yorba/+archive/ubuntu/ppa

Unfortunately I am no longer able to update from that repository:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Right so let's try and fix that problem - first remove the key I already had:

$ sudo rm -f /etc/apt/trusted.gpg.d/yorba_ubuntu_ppa.gpg
$ sudo apt-get update
[..truncated..]

W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 10975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Next, get the key again from the ubuntu key server:

$ sudo apt-key adv --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
Executing: /tmp/apt-key-gpghome.RKi7hJu0jl/gpg.1.sh --recv-keys --keyserver keys.gnupg.net 10975893E549B1AC
gpg: key 10975893E549B1AC: public key "Launchpad yorba" imported
gpg: Total number processed: 1
gpg:               imported: 1

All should be good to go now, right? Wrong. Same result as we started with:

$ sudo apt-get update
[..truncated..]
W: GPG error: http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release: The following signatures were invalid: 90B064CAE4CBA8A6C34F04D110975893E549B1AC
E: The repository 'http://ppa.launchpad.net/yorba/ppa/ubuntu vivid Release' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Anyone know what I'm doing wrong here? Is there something fundamentally wrong with that Yorba PPA?

-Michael

2 Answers

1

Is there something fundamentally wrong with that Yorba PPA?

Aside from it being an antique? ... No.

Well, that's exactly what's wrong here.

Note that the signature itself is fine:

% gpg --no-default-keyring --keyring ./key.gpg --verify Release.gpg Release
gpg: Signature made Tue 31 Mar 2015 07:20:40 JST
gpg:                using RSA key 10975893E549B1AC
gpg: Good signature from "Launchpad yorba" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 90B0 64CA E4CB A8A6 C34F  04D1 1097 5893 E549 B1AC

But the way it was made is no longer fine:

% gpg --list-packets Release.gpg                                           
# off=0 ctb=88 tag=2 hlen=2 plen=156
:signature packet: algo 1, keyid 10975893E549B1AC
    version 4, created 1427754040, md5len 0, sigclass 0x00
    digest algo 2, begin of digest e2 e8
    hashed subpkt 2 len 4 (sig created 2015-03-30)
    subpkt 16 len 8 (issuer key ID 10975893E549B1AC)
    data: [1018 bits]

digest algo 2 is SHA-1, which is no longer considered secure. It's now an error to have Release signatures be made using SHA-1.

There's nothing new about this. It was already a warning in 16.04 (How to fix apt: Signature by key uses weak digest algorithm (SHA1)?):

# apt update
...
W: http://ppa.launchpad.net/yorba/ppa/ubuntu/dists/vivid/Release.gpg: Signature by key 90B064CAE4CBA8A6C34F04D110975893E549B1AC uses weak digest algorithm (SHA1)

And returned the same error in 18.04 as in 20.04.

muru
  • 207,228
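
The check that the `--list-packets` output in the answer above makes by eye, as an added example that is not part of the original answer: a small parser that reads the header of a binary OpenPGP signature packet and reports its digest algorithm. The sample packet is constructed from the field values shown in the dump (the signature bytes are filler), and the `WEAK` set is this example's own policy, not apt's configuration.

```python
import struct

# Hash algorithm IDs from RFC 4880 section 9.4.
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK = {"MD5", "SHA1"}  # this example's policy, not read from apt's configuration

def packet_body(data):
    """Return (tag, body) for the first OpenPGP packet in binary data."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (armored input must be dearmored first)")
    if ctb & 0x40:                       # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            hlen, plen = 2, first
        elif first < 224:
            hlen, plen = 3, ((first - 192) << 8) + data[2] + 192
        elif first == 255:
            hlen, plen = 6, struct.unpack(">I", data[2:6])[0]
        else:
            raise ValueError("partial body lengths are not handled")
    else:                                # old-format header, as in ctb=88
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled")
        hlen = 1 + (1 << ltype)          # 1, 2 or 4 length octets follow the ctb
        plen = int.from_bytes(data[1:hlen], "big")
    return tag, data[hlen:hlen + plen]

def signature_digest(data):
    """Return (digest name, is_weak) for a version 4 signature packet."""
    tag, body = packet_body(data)
    if tag != 2 or len(body) < 4 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet (tag 2)")
    name = HASH_ALGOS.get(body[3], "unknown(%d)" % body[3])
    return name, name in WEAK

def build_sample(hash_algo):
    """Constructed packet with the fields of the dump above; MPI bytes are filler."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1427754040)       # sig created
    unhashed = bytes([9, 16]) + bytes.fromhex("10975893E549B1AC")  # issuer key ID
    body = (bytes([4, 0x00, 1, hash_algo]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + bytes.fromhex("e2e8")
            + struct.pack(">H", 1018) + b"\x02" + bytes(127))
    return bytes([0x88, len(body)]) + body

if __name__ == "__main__":
    print(signature_digest(build_sample(2)), signature_digest(build_sample(8)))
```

An ASCII-armored signature file has to be converted to binary first, for example with `gpg --dearmor`, before its bytes are passed to `signature_digest`.
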
0

You can simply disable this PPA as it does not provide packages for your Ubuntu 20.04 LTS version.

Use

sudo add-apt-repository -r ppa:yorba/ppa

and then run sudo apt-get update followed by sudo apt-get upgrade as usual.

N0rbert
  • 103,263